As the value of cryptocurrencies has risen, illicit cryptocurrency mining has become mainstream – and may have surpassed all other cyber crime, according to security firm Malwarebytes.


Almost immediately, this was exploited by a cyber crime campaign that was designed for Android and drew millions of users to pages that immediately started to mine for Monero under the pretence of recouping server costs.

“Even though mobile devices are not as powerful as desktops, let alone servers, this event showed that no one was really immune to drive-by mining,” the report said, describing these attacks as an automated, silent and platform-agnostic technique that forces visitors to a website to mine for cryptocurrency.

Malvertising, the report said, was a major factor in spreading coin miners to a large audience, as was seen with the YouTube case that involved malicious adverts via Google-owned internet ad service DoubleClick.

“Another interesting vector, which security people have warned about for years, is the use of third-party scripts that have become ubiquitous,” the report said, alluding to a Texthelp plugin called BrowseAloud that was compromised and injected with a Coinhive script, leading to hundreds of UK government websites unwittingly participating in malicious cryptomining activity.
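The BrowseAloud case above is the scenario Subresource Integrity (SRI) was designed for: a site pins the digest of the third-party script it reviewed, and the browser refuses to execute a fetched copy whose digest differs. The example below is added here and is not Malwarebytes' or Texthelp's code; the script bodies and the "injected" line are constructed placeholders, not any real miner loader.

```python
import base64
import hashlib
import hmac

# Constructed sample: the script body a site owner reviewed and pinned, and a
# tampered copy with an appended loader line (placeholder text, not a real miner).
GOOD_SCRIPT = b"(function(){console.log('accessibility widget');})();"
TAMPERED_SCRIPT = GOOD_SCRIPT + b"\n/* injected */ loadThirdParty('PLACEHOLDER-URL');"


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI token ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, reviewed_body: bytes) -> str:
    """Emit the <script> tag a site owner publishes, pinned to the reviewed body.
    crossorigin="anonymous" is required for SRI on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(reviewed_body)}" '
            'crossorigin="anonymous"></script>')


def browser_would_execute(pinned_token: str, fetched_body: bytes) -> bool:
    """Mirror the browser's SRI check: run the script only if the fetched body
    hashes to the pinned digest. Any modification by the CDN or vendor fails."""
    algo, _, _expected = pinned_token.partition("-")
    return hmac.compare_digest(sri_hash(fetched_body, algo), pinned_token)


if __name__ == "__main__":
    # Hypothetical URL for illustration only.
    pinned = sri_hash(GOOD_SCRIPT)
    print(script_tag("https://vendor.example/widget.js", GOOD_SCRIPT))
    print("reviewed copy runs:", browser_would_execute(pinned, GOOD_SCRIPT))
    print("tampered copy runs:", browser_would_execute(pinned, TAMPERED_SCRIPT))
```

The trade-off is that a vendor who legitimately updates the file in place will also fail the check until the site re-pins the hash, so SRI suits scripts served as versioned, immutable files rather than a mutable "latest" URL.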

To fend off criticism, Coinhive introduced a new API (application programming interface) called AuthedMine that explicitly requires user input for any mining activity to be allowed.

The idea was that considerate site owners would use this more “ethical” API instead, the report said, so that their visitors can knowingly opt in or out before engaging in cryptomining. This was also an argument that Coinhive put forward to defend its stance against ad blockers and antivirus products.

However, according to Malwarebytes’ own telemetry, the opt-in version of the API was barely used (40,000 times a day) in comparison with the silent one (three million times a day) between 10 January and 6 February 2018.

Although the WannaCry ransomware was highly publicised for taking advantage of the leaked EternalBlue and DoublePulsar exploits, at least two different groups used those same vulnerabilities to infect hundreds of thousands of Windows servers with a cryptocurrency miner, ultimately generating millions of dollars in revenue, the report said.

Servers are the favourite target for cryptocurrency mining attacks – also known as cryptojacking – because servers offer the most computing power to solve the mathematical operations required by cryptomining.

Distributing miners

Several exploit kits, RIG EK in particular, have been distributing miners, usually via the SmokeLoader malware as an intermediary. In fact, the report said cryptominers are one of the most commonly served payloads in drive-by download attacks.

Mobile users are not immune to cryptomining either, as Trojanised apps laced with mining code are also commonplace, especially for the Android platform. As with Windows malware, malicious app installers for Android tend to have modules for specific functionalities, such as SMS spam and of course miners, the report said.

Legitimate resource-sharing cryptocurrency mining pools, such as Minergate, are often used by criminal Android miners, and the same is true for Mac cryptominers. “Advice about sticking to official websites to download applications applies, but is not always enough, especially when trusted applications get hacked,” the report said.

Malwarebytes warned that cryptomining malware provides a good use case for exploiting the size and power of a botnet in order to perform CPU-intensive mining tasks without having to bear the costs incurred in the process. In some aspects, the report said, drive-by mining also applies the same concept, except that the botnet of web users it creates is mostly temporary.

Although malicious cryptomining appears to be far less dangerous to the user than ransomware, its effects should not be underestimated, the report said.

Unmanaged cryptocurrency miners could seriously disrupt business or infrastructure-critical processes by overloading systems to the point where they become unresponsive and shut down, the report said, noting that under the disguise of a financially motivated attack, this could be the perfect alibi for advanced threat actors.
